The emergence of the Data Marketplaces is the latest iteration in the phenomenon of data-driven transformation of the world. Data marketplaces have emerged as a new form of data-driven business models which enable trading of data between the data owners/providers and data consumers by providing the necessary technological and non-technological infrastructure. These features present an alternative to the cumbersome logistics currently involved in searching, buying and selling data; thus, simplify the data supply chains between the data-driven business entities. However, they suffer to take off into mainstream success because of a myriad of reasons. Of all the reasons, 2 of them are focused in this thesis. Firstly, the difficulty involved in architecturally enabling a data marketplace platform as the prospective enabling technologies are still immature. Secondly, the uncertainty associated with the commodification of data which comprises of the intellectual property enforcement of data (data ownership), privacy and confidentiality breach (threats), regulatory ignorance (implication of GDPR), reluctance of businesses from participating because of the previous reasons et cetera. This reason is collectively referred as due to the uncertainty around the threat landscape of the data marketplaces. Multi-Party Computation (MPC) technology provide a solution to these problems. Through its capabilities to preserve the confidentiality of data architecturally and thereby securing the interests of the data actors with respect to the uncertainty of the threat landscape around data, MPC can enable safe and secure data sharing between data actors. This characteristic of MPC can help data marketplaces to overcome their challenges and foster their realisation. However, since MPC cannot handle the scale of real-life application, it is not mature enough yet to be incorporated into real-life data marketplaces. An EU funded project called SafeDEED: Safe Data-Enabled Economic Development, proposes to overcome the scalability issue and intends to achieve the maturation of MPC for real-life application. Building upon this forecast, a research was conducted to investigate the implication of the maturation of MPC technology towards the 2 problems faced by data marketplaces, architectural and threat landscape; and the same is documented in this thesis.

In the past decade, the world has experienced numerous severe and impactful data breaches, without indications of this development slowing down. Even worse, research has shown data breaches are still waiting to happen. The occurrence of a data breach has consequences for several involved parties and for society in general. It is therefore only natural that there exists a pursuit to prevent data breaches from happening. Research claims that data breaches happen because of simple and preventable errors made by human, also known as security misconfigurations. This study aims to investigate whether the root causes of severe data breaches are frequently related to security misconfigurations, which would make most data breaches preventable. No such structured research had been done before. We conducted a multiple case study, wherein a number of data breaches was analysed based on publicly available case literature. Assessing the data breaches with the help of our developed framework was part of that analysis, resulting in a systematic characterization of each data breach. The results indicate that in breaches the data are mostly subject to unauthorized access by outsiders, which frequently is made possible by poor security. The organizations directly responsible for that data are large organizations which get breached especially in their storage facilities. Next to the organization which got breached, these sizeable data breaches always affect individuals since at least part of the compromised data is about them or linkable to them. Usually this is not even discovered by the breached organization itself and sometimes only after a long period of time. Ultimately, it can be concluded that data are frequently caused by security misconfigurations and therefore are mostly preventable. On this basis, it is recommended that organizations responsible for sensitive data should be more incentivized to thoroughly combat security misconfigurations, instead of treating IT security as only a technical endeavor.

Malware presents a growing problem in a world that is increasingly connected to, and reliant on, the internet. The growing, devastating potential of cyber attacks such as DDoS attacks on society and economy is largely the result of a new class of devices, the Internet of Things (IoT), whose characteristic vulnerabilities make them easy targets to be compromised and controlled by malicious actors. This study employs a mixed-method research design to examine end-users' perceptions of the security of internet connected devices, their motivations for (non-)adoption of centralized DNS-based malware mitigation measures, and the efficacy of such services in mitigating malicious activity in a real-life environment. The results indicate that centralized DNS-based malware mitigation have significant potential in reducing end-user vulnerability to malware threats, but their adoption is hindered by lacking ability to assess threats and the value and efficacy of security measures.

The European financial sector is a frequent victim of banking malware leading to massive losses. It appears that not all customers’ banks are equally attractive targets among cybercriminals who deploy banking malware. This research established a comprehensive regression model explaining why certain banks are more attractive to cybercriminals. The model proves that large banks, banks that are part of a banking group, banks with a high brand value, and banks which websites have a high domain-popularity, bear a higher probability to be (more frequently) targeted. Two-factor authentication doesn’t seem as effective as might expected. The use of this security measure does not decrease the chance for a bank to be targeted. However, the presence of this measure has an influence on a lower target frequency. Furthermore, it is shown that banks offering a largely spoken language on their website do not ease the banking malware attacks. Further research is needed to enhance and improve the model. The independence in the model can be reduced and more bank characteristics could be added, especially factors related to the ease to launder money.

As software security expert Bruce Schneier argues, the pervasive vulnerability of embedded systems today is structurally similar to the security crisis of PCs in the mid-1990s—only much worse. Embedded devices are ideal malware targets for several reasons. Firstly, Internet-connected devices are inherently more exposed to remote exploitation. Furthermore, embedded systems are notoriously difficult to update, regularly leading to unpatched vulnerabilities. Last but not least, many such devices operate in a mostly unattended fashion, which means that the timely discovery of compromise is unlikely. Hardening is the process of securing a system by reducing its surface of vulnerability. Hardening of the already deployed embedded devices that are connected to the internet is examined in this research. A method capable of automatically generating and enforcing security configuration based on the embedded system’s set of functions has been designed and implemented. The proposed system is dynamic, automatic, and seamless. Hardening level of such devices is measured through recognized security benchmarks. The objective is to harden the product as much as possible while maintaining its full functionality. This study concerns embedded systems using custom Linux-distribution software. The thesis was conducted in cooperation with Atos. OpenScape Business series X (OSBiz X) was used as a case study. OSBiz X is an embedded system used as a telephony center, with more than 150.000 systems already deployed worldwide. Implementing the system described above on OSBiz X significantly increased the hardening-level of the product while its functionality remained intact. Due to the case study’s scenario results, Atos plans to integrate the proposed system into the next version of OSBiz X’s official release. Finally, ongoing research about other internal organization’s products that could greatly benefit from this approach is being conducted.

The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.

A portion of the digital fraud occurring on the dark web comprises the illegal exchange of vouchers, coupons, and stolen accounts, defined in this research as service fraud. Despite its existence, this type of fraud had not been previously explored. This thesis employs a quantitative approach to examine which company characteristics influence the target selection process, and the financial impact of service fraud, conducted on eight prominent underground markets, from 2011 to 2017. Initial understanding of the matter is provided by mapping out the digital fraud landscape; exploring and classifying into four categories the different types of service fraud. The direct costs of such fraud for the analyzed companies are quantified, showing that the sustained losses are relatively low compared to the figures reported in various resources. Regression analysis is used to model which characteristics make companies more attractive to cyber criminals, and how they influence losses suffered by businesses. Reputation and domain popularity are able to explain to an extent the frequency of being targeted. Furthermore, companies operating locally, as well as smaller businesses seem to experience higher financial losses. The implications of the results for businesses and society are discussed. Expanding the current model with other factors or additional data, such as employed security controls and strategies, as well as using different research methods could enhance this topic and provide more insights.

The rapid growth of internet-connected devices has led to a significant increase in the number of cyber attacks, resulting in security challenges related to IoT. Researchers have discovered a new attack technique that can be used for launching large DDoS attacks, which involves TCP reflective amplification by abusing middleboxes and IoT devices. In order to assist Internet Service Providers (ISP's) in mitigating this vulnerability present at their customers, a deeper understanding of this novel attack technique is needed. The thesis primarily focuses on exploring vulnerable devices and their end-users within the consumer network of a Dutch ISP, KPN. The ultimate goal is to gather more information on the types of vulnerable devices and actors involved to eventually assist an ISP in making informed decisions to remediate the vulnerability in their network. The study found that the problem can be described in two different issues: vulnerable middleboxes and vulnerable consumer IoT devices with broken TCP protocols. The problem of vulnerable middleboxes has been solved in the network of the Dutch ISP as manufacturers have released updates remediating the vulnerability. This is not the case for vulnerable consumer IoT, as updating consumer IoT devices does not necessarily address the vulnerability present in the devices that have been identified. However, vulnerability notifications can potentially be useful for end-users to encourage them to update their vulnerable devices. The study highlights the presence of vulnerable devices in the ISP network that cannot be remediated by updating the device due to the unavailability of a fix. This calls for the exploration of alternative notification methods like walled garden notifications for ISP's to address the issue as mail notifications seem not feasible at the moment of writing. While updating devices is a suggested solution, it may not be feasible for end-users with vulnerable consumer IoT devices, making it crucial for manufacturers to ensure their products have secure TCP protocols. While end-users are motivated and capable to keep their vulnerable devices up to date, whether or not they receive a vulnerability notification from their ISP, this action alone will not fully address the vulnerability as long as manufacturers remain unaware of the issue or fail to provide updates to remedy it.

Ultra-Wideband (UWB) technology became unregulated within the EU in 2007. Most recently, it was integrated into mobile phones in 2019, notably Apply and Samsung adding it to all their newer models. While UWB is characterised as a radio technology with any signal above 500 MHz, it operates within the 6-9 GHz range in mobile phones. This allows for fast data rate, low power secure communication, multipath facilities and accurate localization. While the integration of UWB is mostly advantageous to users and innovators, its ability of accurate localisation may lead to severe privacy concerns The aim of the thesis is to understand the privacy concerns of UWB’s integration into mobile phones by answering the main research question: how do experts and users perceive privacy concerns of UWB usage in mobile phones; and how can they be mitigated? It was subsequently broken down into three sub-research questions: 1. What are the possible applications of UWB in mobile phones? Phones have other incumbent radio technology embedded such as Bluetooth (BLE) and Wi-Fi, however it seems like UWB is being integrated to serve additional purposes. The answer to this question seeks to understand from gray and research literature how UWB can be used in mobile phones and what advantage it gives over incumbent technology. Research shows UWB gives phones the ability for indoor navigation, gesture-based control, foot traffic analysis for smart retail, teleconference systems, proximity-based localization, key-less entry among others. This leads to research question 2. What are the potential privacy concerns associated with UWB? The incorporation of new technology capable of accurate localization leads to privacy concerns. All privacy issues were categorised on the basis of three paradigms: social, surveillance and institutional mentioned in Gurses and Diaz, 2013. This was initially done by interviewing experts from the three groups of privacy experts, policy regulators and technology experts. Analysis of their answers showed that UWB privacy concerns seem relatively similar to BLE and Wi-Fi localization, albeit with higher granularity. UWB allows mobile phones companies, third parties and governments track people accurately indoors, push advertisements depending on location, obtain relative relationships between people based on distance leaving people with no place to hide. Subsequently, user interviews were carried out to see if they could identify the same concerns of UWB. Results showed that that from the data of users interviewed, all of them believed that accurate data localization of people is crossing a line that users cannot push back on. A majority of them saw most of the same privacy issues as the experts showing that, as people get more adept with technology they understand how it can affect their privacy. A common question that was asked across all the interviews was how can we protect our privacy in the face of such penetrating innovation as time lapses. Which is the final sub-research question: 3. What are technical and societal approaches to address privacy concerns? Experts provided solutions that were more industry oriented which included decoupling UWBfrom other location-based services, provision of opt-out settings on a more prominent basis, reworking license agreements, industry wide discussion and self-regulation in terms of privacy. However, users gave answers that were more user-centric and gave more control to the common public. This included users neggotiating their own privacy agreements, compensation models for loss of privacy, a more holistic regulation process and finally, trying to break the control of big tech companies. This shows that users and experts have very similar understanding of privacy issues but very different views on how privacy should be protected. Perhaps, it may be time for regulators to pay heed to user suggestions. These suggestions were then compared with privacy mitigation strategies mentioned in literature. Notably, the most overarching concept that needs to be incorporated is the concept of Privacy-by-design which can then be broken down into technical and societal strategies. Technical approaches included concepts such as obfuscation, k-anonymiser, differential privacy, dummy localization and access control mechanisms. All the technical strategies seemingly had the same issue of requiring third-party applications to function. Sophisticated security measures and privacy statements would then be needed to ensure these companies do not choose monetary gain over user privacy. Societal approaches included concepts of data-for-all, technical regulatory bodies and finally, breaking up of big tech companies. As time passes and innovations become more pervasive, it may be too late to incorporate privacy protection actively. The time to protect privacy is now.

IP spoofing is the act of forging source IP addresses assigned to a host machine. Spoofing provides users the ability to hide their identity and impersonate another machine. Malicious users use spoofing to invoke a variety of attacks. Examples are Distributed Denial of Service (DDoS) attacks, policy evasion and a range of application-level attacks. Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification and anonymity. Defeating these attacks requires operators to ensure that their networks filter packets with spoofed source IP addresses. This is a Best Current Practice (BCP), known as Source Address Validation (SAV). Yet, widespread SAV adoption is hindered by a misalignment of incentives: networks that adopt SAV incur the cost of deployment, while the security benefits diffuse to all other networks. The challenges posed by SAV adoption exemplify the failure of traditional governance models to provide solutions in the Internet ecosystem. Policy interventions usually require transparency in measurements to quantify and assess the vulnerability landscape. However, measuring SAV requires a vantage point inside the network or in the upstream provider of the network. Once a packet with a spoofed source address leaves the upstream network provider, it is almost impossible to ascertain its origin...@en

In recent years the number of Internet-connected devices (aka as Internet of Things (IoT)) has increased dramatically. IoT Manufacturers have launched into the market a variety of IoT products to make a profit, while users buy them for the convenience of the technology. Despite IoT technology’s benefits to society, infected IoT devices with malicious software (malware) are a serious security concern. For instance, in 2016, we witnessed one of the largest Distributed Denial of Service (DDoS) attacks facilitated by IoT devices. This attack disrupted major well-known websites, including Twitter, Spotify, Github, and others. Infected IoT devices cause negative externalities. A negative externality is the cost that third parties, who are neither the seller nor the buyer of IoT devices, must incur to protect themselves against DDoS attacks. In the traditional personal computer world, compromised machines can be remedied with self-service solutions like antivirus. However, there is a lack of such tools to help users remove malicious software once it has taken hold for the wide variety of IoT devices. This, in turn, creates usability issues for users in the IoT space. To remediate infected IoT devices, users may need to take different actions. These actions depend on the device type, its manufacturer, patches or software updates available, and available settings of the device. Some Internet Service Providers (ISPs) (referred interchangeably as intermediaries in this dissertation) have undertaken the task of notifying users about infected IoT devices in their home network. These types of notifications can aid the threat detection mechanisms of infected IoT devices for users. Considering that the IoT technology has certain limitations, and users will have to deal with infected IoT devices, and the aforementioned actors are involved, we set ourselves to answer the following research question: How can users mitigate infected IoT devices? And what role can manufacturers and intermediaries play in supporting them? To answer this question in short users require information and actionable advice to take appropriate actions. Manufacturers need to improve security practices, such as removing default credentials from the setup process of IoT devices. ISPs can facilitate threat detection through notifications and DNS-based prevention. The results of this dissertation, suggest that governments should incentivize intermediaries and manufacturers to address this issues, and collaboration among stakeholders is essential since users alone cannot mitigate infected IoT devices even though they are motivated.@en